DDOS solution recommendation

Owen DeLong owen at delong.com
Sun Jan 11 20:55:59 UTC 2015

> On Jan 11, 2015, at 05:07 , Mike Hammett <nanog at ics-il.net> wrote:
> Why does it seem like everyone is trying to "solve" this the wrong way? 

Because it’s what we CAN do.

> Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about it issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system. 
> The way to stop this stuff is for those millions of end users to clean up their infected PCs. 

Agreed… However, let’s look at it from an economics perspective…

The average residential service provider doesn’t have the resources and doesn’t charge enough to build the resources to deal with this onslaught. It won’t be the service provider that the attacker blames for the initial few disconnections, it will be the websites in question.

So, let’s say XYZ.COM <http://xyz.com/> is a really popular site with lots of end-users. Some of those end-users are also unknowingly attacking XYZ.COM <http://xyz.com/>.

XYZ.COM <http://xyz.com/> black holes those customers (along with all the other zombies attacking them).

XYZ.COM <http://xyz.com/> gets angry calls from those customers and has no ability to contact the rest.
The rest don’t call their ISP or XYZ.COM <http://xyz.com/> because they don’t know that they are unsuccessfully trying to reach XYZ.COM <http://xyz.com/>, so they don’t see the problem.

Depending on hold times, etc., XYZ.COM <http://xyz.com/> loses some fraction of their customers (who instead of cleaning up their system, move into the second group who don’t care about the problem any more.) The rest may clean up their systems.

So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM <http://xyz.com/> has managed to clean up a relatively small percentage of systems, but accomplished little else.

I’m all for finding a way to do a better job of this. Personally, I’d like to see some sort of centralized clearing house where credible reporters of dDOS information could send some form of standardized (automated) report. The clearing house would then take care of contacting the responsible ISPs in a scaleable and useful manner that the ISPs could handle. Because the clearing house would be a known credible source and because they are providing the information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take proactive action such as contacting the user and addressing the problem, limiting the user’s ability to send dDOS traffic, etc.

However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to start as a coalition of residential ISPs.


More information about the NANOG mailing list